howto/ldap.md

@@ -2125,6 +2125,7 @@ Directory standard).
  * [phpLDAPadmin][]: like [phpMyAdmin][] but for LDAP, for "power users",
    long history of critical security issues
  * [web2ldap][]: web interface, python, still maintained, not exactly intuitive
+ * [Fusion Directory](https://www.fusiondirectory.org/)
 
 [phpMyAdmin]: https://www.phpmyadmin.net/
 [ldap-user-manager]: https://github.com/wheelybird/ldap-user-manager
@@ -2157,7 +2158,11 @@ using the [django-auth-ldap][] authentication plugin.
  * [FreeIPA][]: similar, except built on top of 389 DS, the Fedora
    LDAP thing
  * [Authelia][]: single sign-on, 2fa, OIDC connect
- * [Authentik][]: single sign-on, 2fa, OIDC, SAML, LDAP, proxy, metrics
+ * [Authentik][]: single sign-on, 2fa, OIDC, SAML, LDAP, proxy,
+   metrics
+ * [LemonLDAP-ng](https://lemonldap-ng.org/), [packaged in Debian](https://tracker.debian.org/pkg/lemonldap-ng)
+
+See also [mod_auth_openidc](https://github.com/OpenIDC/mod_auth_openidc) for an Apache module supporting OIDC.
 
 A solution could be to deploy Keycloak or some SSO server on *top* of
 the current LDAP server to provide other applications with a single
@@ -2167,6 +2172,23 @@ swap ud-ldap out if we need to, replacing bits of it as we go.
 [Authelia]: https://www.authelia.com/
 [Authentik]: https://goauthentik.io/
 
+#### Keycloak
+
+Was briefly considered at Debian.org which ended up using GitLab as an
+identity provider (!). Concerns raised:
+
+ * [this post](https://lists.debian.org/debian-project/2020/04/msg00006.html) mentions "jboss" and:
+   - no self service for group or even OIDC clients
+   - no U2F (okay, GitLab also still needs to make the step to webauthn)
+
+See also [this discussion](https://lists.debian.org/debian-project/2020/04/msg00000.html) and [this one](https://lists.debian.org/debian-devel/2017/08/msg00465.html).
+
+#### LemonLDAP
+
+https://lemonldap-ng.org/
+
+ * has a GPG plugin
+
 ### Others
 
  * [LDAP synchronization connector][]: "Open source connector to